ThreatStryker uses the Cyber Kill Chain to model the progress of potential attack, from Reconnaissance to Exfiltration, and assigns a risk measurement to attack events. ThreatStryker raises notifications, and can also perform automated actions once a suspected attack reaches a threshold in the Kill Chain.

The sources of identified bad network traffic can be automatically detected and firewalled, using the local networking tools (Kubernetes CNI, eBPF). ThreatStryker can block specific sources, external or internal, in order to neutralize an attack and prevent lateral spread.

ThreatStryker correlates network activity and on-host events (file and process integrity) to judge whether or not a host or container is tainted. ThreatStryker can then execute corresponding quarantine actions to isolate, terminate, or restart the workload.

Many attacks build up over a long period of time. An attacker may compromise one service or workload, and explore to find other targets. ThreatStryker archives suspicious behavior over long periods of time to build a picture of the increasing risk, and provide information for forensic investigation.